# Crypto Spec Generator

> Draft and validate Cryptographic Key Management & Encryption Standard (NIST CSF 2.0 PR.DS). Ensures FIPS 140-3–aligned algorithms and key lifecycle; flags legacy algorithms (SHA-1, 3DES, etc.) for 2026-era compliance.

Tags: NIST CSF, Encryption, Key Management, FIPS 140-3, GRC, Data Security

## Example Prompts

- Draft our Cryptographic Key Management & Encryption Standard for PR.DS
- Define algorithms and key lengths for data at rest, in motion, and in use
- Check this crypto policy for legacy algorithms and fix for 2026 compliance

URL: https://rakenne.app/skills/crypto-spec-generator/index.md

Try this skill: https://rakenne.app/a/?skill=crypto-spec-generator

## Overview

Draft and validate a **Cryptographic Key Management & Encryption Standard** for NIST CSF 2.0 PR.DS (Data Security). The skill helps you document the key lifecycle (generation, storage, rotation, destruction), define algorithms and bit-lengths for data at Rest, Motion, and Use per FIPS 140-3, and keep the narrative aligned with 2026-era NIST guidance. A built-in validation tool scans the draft for legacy algorithms (e.g. SHA-1, 3DES, MD5, RC4) and reports non-compliance before you finalize.

## Example Conversation

> **You:** We need a Cryptographic Key Management & Encryption Standard for PR.DS. Define algorithms for data at rest, in motion, and in use, and add key lifecycle. Then run the compliance check.

> **Agent:** I'll draft the standard using the skill's references (FIPS 140-3, Rest/Motion/Use). I'll specify AES-256-GCM for symmetric encryption, SHA-256+ for hashing, RSA-2048 minimum (RSA-4096 for high assurance), and document key generation, storage, rotation, and destruction. Then I'll run `quantum_readiness_checker` on the draft.

> **Agent:** *(Writes the standard and runs the checker.)* `quantum_readiness_checker` found "3DES" in the legacy systems section. I'll replace that with a note to migrate to AES-256 and re-run.

> **Agent:** Re-ran the checker — PASS. No legacy algorithms remain in the normative sections. The standard is ready for review.

## Output Excerpt

A typical standard includes scope, algorithm requirements by data state, and key lifecycle. Excerpt:

```markdown
## Algorithm and key-length requirements

| Data state | Symmetric       | Hashing   | Asymmetric          |
|------------|-----------------|-----------|---------------------|
| Rest       | AES-256-GCM     | SHA-256+  | RSA-2048 min.       |
| Motion     | AES-256-GCM     | SHA-256+  | TLS 1.2+; RSA-2048+ |
| Use        | AES-256-GCM     | SHA-256+  | RSA-2048 min.       |

Legacy algorithms (SHA-1, 3DES, MD5, RC4, RSA-1024) must not be used for new systems; existing use must be migrated by [date].
```

The quantum readiness checker would FAIL if the document still recommended SHA-1 or 3DES; after replacing them with approved alternatives, the check passes.

## Extension Tools and Validations

**`quantum_readiness_checker`** scans the crypto/key management document for legacy or deprecated algorithm references and reports 2026-era NIST non-compliance:

- **Patterns detected** — SHA-1, SHA-224, 3DES/TDEA, DES, MD5, RC4, RSA-1024 (and common variants).
- **Output** — For each finding: algorithm label, NIST-aligned recommendation (e.g. "Use AES-256-GCM"), and a short context snippet from the document.
- **Result** — PASS when no legacy references are found; FAIL with a numbered list of findings to fix.

Run this tool after drafting or updating the standard; resolve all findings and re-run until the report shows PASS before finalizing.

## Getting Started

Add any existing crypto or key-management policy to the project workspace and activate the *Crypto Spec Generator* skill. The agent will draft or update the standard using the bundled FIPS 140-3 and PR.DS references, then run `quantum_readiness_checker` so that the finished document contains no legacy-algorithm references and is aligned with 2026-era NIST standards.

